Who stole the cookies from the cookie jar? Google, that’s who

Author

Director, Centre for Software Practice, University of Western Australia

Disclosure statement

David Glance does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.

Apple blocks cookies from third parties and advertisers by default. This should mean that if you use Safari, advertisers shouldn’t be able to track you as you move from site to site on the web.

Google discovered a way to get around this. A technical glitch in the Safari application could be used to allow Google (and others) to get around the restriction. This in turn allowed advertisers to install their cookies and track them from site to site.

Google claimed that if users had signed into Google then they were implicitly asking for features that Apple was blocking – in this case, the ability to click the +1 button that Google has added to advertising on websites. In the company’s opinion, this overrode Apple’s attempts to block such features.

In good company?

For all Google’s posturing about being justified in circumventing Apple’s restrictions, it has reacted quickly, disabling its code. It has also changed statements on its site advising how people can opt out of having advertisers track users.

The site previously claimed Safari users were already protected from advertising tracking. This statement has been removed.

Since the discovery that Google was circumventing users’ privacy settings in Safari, a similar claim has been made about Google getting around the default privacy settings in Microsoft’s Internet Explorer.

While this claims seems to be true, Microsoft is using a privacy protection standard called P3P that is yet to be widely accepted or adopted.

There is software people can use to permanently stop tracking from advertisers on Google’s networks. But this software is not available for Safari and wouldn’t be available for Safari on the iPhone or iPad in any case.

Lest we think it’s only Google that has been caught with its fingers in the “cookie jar”, Facebook removed a page this weekend (cached version) that also highlighted how to circumvent Safari’s restrictions. Ironically, this was on a page called Developer Best Practices.

Not that long ago, Facebook sparked outrage when it was found to be still tracking users after they had logged out of the service. It seems that, despite such lessons, companies such as Google are still willing to risk public anger rather than jeopardise profits from advertising.

Privacy and ethics

There is also the perception by Google, Facebook and others that, just because the public is sharing more things with more people, there is a corresponding decrease in concern about privacy. Obviously this is a convenient belief to hold and possibly explains why these companies are not setting themselves higher ethical standards.

In this they are helped by the public’s still-limited understanding about privacy on the internet and, more importantly, people’s lack of knowledge of what they can do to protect their privacy.

Software manufacturers are not helping very much. The help file for Safari’s private browsing mode, for instance, says Safari does not keep information about “pages you visit, your search history, or your AutoFill information”.

Sharing cookies

Another little-known fact is that Google shares cookies across all of its different sites. This occurs even if you are not logged into Google. A particular identifier (“NID”) is set in a cookie as soon as you visit one of Google’s sites, such as www.google.com and then is passed to other sites, such as YouTube.

In this way, Google is still able to collect information from visitors when they are not logged in. Cookies that are installed on your machine when you visit a Google site are created to last at least six months.

US representatives Edward J. Markey, Joe Barton and Cliff Stearns have called on the US Federal Trade Commission (FTC) to investigate Google’s evasion of Safari’s privacy settings.

We will wait and see what the FTC does. In Google’s case, it seems clear only legislation will make it change its behaviour.